"As Finley demonstrated, it’s not impossible to hunt down suspects who use these technologies – it’s just extremely time-consuming and resource-intensive."
Here's the big problem. It can be impossible. If the swatter exercises extreme caution, never registers any device or service in their name, never uses their public IP address for so much as a Google search on "how to swat" and doesn't brag about it online, it is in fact impossible to trace. This makes it tough going into an investigation because you don't know if it's some stupid kid or someone who knows a thing or two about how to remain truly anonymous online. To this point, you'll note there's a common thread in all the stories of this type. It's some stupid kid who gets caught and I highly doubt that's because only kids are swatting. It's because they are catching the dumb ones.
I agree, I think most people who comment here are at a level that they could pull it off without getting caught if their life depended on it. Be your method burner phone, bitcoin with a little voip and tor, or something else, it's relatively easy to be anonymous enough over the phone to not be worth the effort.
It's no fun if you swat somebody and don't brag about it afterwards on Twitter/IRC/whatever which will lead authorities straight to them like it has most other criminals.
Which gets me to an interesting theory of how the cyber security field really resembles an ecosystem not unlike what is found in nature. For the most part, a lot of what we call the bad guys are just dumb people who get caught, as you said because they likely can't help themselves from bragging about it. They pulled off a "goof" and think it's funny, many times likely not even considering the criminal nature of the act. All of these people who pull off these exploits (swatting is just an exploit that involves the unauthorized use of law enforcement instead of a kernel) and do so in a rather large and obvious way elicit immune responses. Many hundreds of responses with no one event causing significant harm to the total ecosystem. It's our jobs in the cyber security community to react to these and develop ways to stop them before the inevitable "big one happens," in this case the mass swatter who remains anonymous because they are disciplined, but who also has at their disposal a rudimentary AI system connected to an Asterisk IVR server that can make large volumes of automated swatting calls, causing the US emergency response system to grind to a halt.
This is where there is a very fine line between tackling exploitation via the implementation of technical controls and legal controls. Because the Internet is global, I'm of the mind-set that controlling it via legislative controls has long since passed, therefore we'd better be looking for technical solutions before someone exploits the system en masse to cripple a nation.
You only have to mess up once and they will get you. If I was a betting man, I would bet against the attacker. However, there is a civil disobedience aspect to something like this that I find intriguing.
I suspect we'll be seeing a lot of articles that end with some form of "let's make the Internet safer by giving up our privacy and right to anonymity" while the government is trying to pass the anti-encryption bill. Unfortunately, this police officer spent a ridiculous amount of time tracking down someone with no real op-sec skills simply because he wasn't trained to track someone on the web.
Note that I agree we need to treat swatting as a serious and potentially dangerous crime ... But what do we do when all the perps are juveniles?
> Note that I agree we need to treat swatting as a serious and potentially dangerous crime ...
Though perhaps less serious than the one done by the people actually doing said harm? (I.e., the militarized police)
>Unfortunately, this police officer spent a ridiculous amount of time tracking down someone with no real op-sec skills simply because he wasn't trained to track someone on the web.
No. This isn't about someone without OPSEC skills.
This guy was actively trying to get caught, livestreaming these swats and publicly taunting LE on twitter. And even then it took LE disproportionate amounts of time to get to him.
Maybe, but I wonder if issuing fines to a low income household or taking a wage earner off to jail would actually result in worse outcomes in those cases. It is a difficult problem, perhaps we should address it culturally and discover if we truly have a need for so many swat teams like this in the first place. Mission creep may be a contributing factor here.
You cannot tell me with a straight face that someone trying to pull this crap does not know exactly what they're doing.
At a basic level they understand exactly what they're doing. But their prefrontal cortex isn't yet completely developed. So they don't understand just how harmful their actions are.
I did some stupid stuff as a teenager that I certainly am not proud of right now. But, at the time, I didn't at all understand the broader ramifications of my stupid behavior and the harm it caused others.
I don't know. It sounds a bit too much like excuses. I was also a teenager and was not stupid enough to try anything stupid. My reptilian brain always managed to stop me. Like this time I was going to get into a fist fight (it was not my first), I was willing but my reptilian brain was not in agreement. It actually tried to freeze my legs.
The concept of a "reptilian brain" is a) no longer espoused by neuroscientists and b) if true would be the thing egging you on, not freezing your legs.
Recommend you listen to this [1] interview that I heard earlier today. It's by a Stanford neuroscientist, discussing why and how the teenage brain leads their owners to be impulsive, addiction-prone, and just generally idiotic.
The TLDR: they really don't know exactly what they're doing, because the physical substrate for their cognition can't yet support those functions.
The question is why it's necessary to have highly militarized police who respond with overwhelming force at the drop of a hat. Oh wait, that's right, the War on Drugs.
It was fortunate that in this case the target was "a sprawling house in the affluent Atlanta suburb of Johns Creek". Police knock on that house's front door. In other neighborhoods, they simultaneously demolish all doors just before assaulting all the occupants.
Just mentioning this in case anyone had forgotten the purpose of the War on Drugs.
I think the fact that a call is coming from a voip service is not necessarily the problem, the problem is that a voip number can be made extremely easily.
Some sort of "non-anonymous" score can be assigned a voip number. Paying via a credit card or cheque can attach an address to the voip number. Does this address match the reported home of the caller? Does the IP originate from the same area as the caller? Has this voip number been used by the same account for several years?
>Some sort of "non-anonymous" score can be assigned a voip number. Paying via a credit card or cheque can attach an address to the voip number. Does this address match the reported home of the caller? Does the IP originate from the same area as the caller? Has this voip number been used by the same account for several years?
So what you are saying is, before responding to a potentially life threatening emergency call, the police should first obtain a subpoena for the relevant data of the VoIP operator? Or are you saying the police should have unfettered access to payment methods, address and names of everyone who registers a VoIP number?
Voip numbers that have emergency dialing access should be required to get that information. In fact, they are, so you'll note the article mentions a loophole of calling a non emergency number, then asking to be transferred to emergency services.
I don't know how harmful closing that loophole would be for legitimate calls. Can police track how many legit calls were transferred from non-emergency calls, and came from numbers without emergency calling capabilities? Knowing whether that number is negligible or not is important.
> you'll note the article mentions a loophole of calling a non emergency number, then asking to be transferred to emergency services.
The "loophole" is to get to the emergency services for the area they are targeting. You can't dial 911 in British Columbia and get emergency services in Georgia.
Yup. It's not clear from there whether they'd be able to call emergency services somewhere else, but it's implied not (they mention getting a local number to call from).
Even if they could, you could still check whether their phone can call your emergency services directly.
Yes but can't the caller ID be spoofed? At that point, you'll be relying on a system to give you a "sugar score" for a call since you are providing emergency services. But I do agree that a low sugar score combined with a particular type of request should raise some flags.
>Complex anonymity tools mean it can cost $100,000 to identify just one hoax caller.
>Finley estimates he spent more than a thousand hours tracking down those two teenagers, neither of whom will spend much time behind bars, yet this is a crime that can cost police departments as much as $100,000 per incident and could result in fatalities.
The number seems to have been pulled from this sentence, but it refers to the damage caused by the crime, not the cost to investigate. (This seems more plausible than thinking the number came from the thousand hours quote.)
So it appears whoever wrote the sub headline didn't actually read the article.
Edit: also re costs in crime to allowing anonymity:
The stated argument for allowing anonymity doesn't extend to anonymous calling of emergency services. The article points out that such swatters already need to use the loophole of calling a regular number and getting routed to emergency; why not display to that operator whether the call is anonymous, and if so don't let them route it to emergency services? Are there a significant number of legitimate anonymous calls forwarded this way?
>Finley used an email address associated with one Skype account to uncover a personal website for the second swatter, whose online handle was Obnoxious. Using that email, he found a page on the text-sharing website Pastebin where one of Obnoxious’s enemies had revealed his name and address.
$100,000 OSINT... the police did no 'heavy lifting' in this case
The police are the ones deciding how to respond to these (completely unbelievable) calls, and making them face consequences for their actions would be more effective than going on elaborate after-the-fact hunts for the guy that "tricked" them.
The police should take a leaf from Corporal Carrot's book, "[...] a number of offences of murder by means of a blunt instrument, to whit, a dragon, and many further offences of generalized abetting [...]" and prosecute these non-pranks as "assault with a deadly weapon".
Prank carries a connotation that the act should not expose the target to actual danger.
So swatting is arguably a prank (in the sense you write about) but people don't like the label because it is dismissive of the danger created by the swatting.
>Prank carries a connotation that the act should not expose the target to actual danger.
Says who?
Examples of irresponsible and dangerous pranks abound.
More to the point, the intent is still to have a laugh at someone's expense which fits the dictionary definition of "prank" quite well: a practical joke or mischievous act.
In anticipation of the nitpicking over the term "mischief", I submit the google definition thereof: harm or trouble caused by someone or something.
Sorry, but the fact that calling this a prank should get people so upset is really, really bizarre.
I'd say that the people doing it (and that enjoy watching it happen) are trying to downplay it (to themselves as well as others) by calling it a "prank." It toes the line of actually ordering a hit on someone.
The intent is obviously not to kill the target, but I also doubt that the perpetrators would feel any remorse if it ended up in a death (they would rationalize it away as the police's fault, not their own).
Its classification as a prank by the (teenager, gamer, 4chan, etc) culture that encourages this isn't helped by the fact that this is just an escalation of other "use a phone call to rain disorder onto someone's life" pranks:
* Placing large pizza delivery orders for the target.
* For a while you could order free boxes off of the USPS website, and I remember it being a thing where people would get a group to order a ton of boxes and send them to someone.
Many people from that sub-culture see swatting as basically the "nuclear weapon" of those types of revenge "pranks." I can't say that I've personally witnessed the escalation to SWAT'ing, but it seems to be people from that sub-culture/mindset that see SWAT'ing as a funny joke to throw at someone that annoys them.
We can call it that too, but it's still very strange to suggest that we should ignore the motive.
The motive is clearly to have a laugh at someone's expense. Where I come from, that's qualified as a prank, and does not preclude the act from also being attempted murder.
The extent to which everybody wants to play with words wrt this issue is puzzling.